Ukraine at D+658: Maximalist rhetoric from the Kremlin.
The CyberWire, Dec 14, 2023

Russia increases cyber and kinetic strikes against civilians and infrastructure as winter closes in. The SVR undertakes a cyber campaign against software supply chains.

Both Ukrainian and Russian sources report difficulties with winter weather. Russian missile strikes have concentrated on civilian residential areas during a period of heightened cyberattack against Ukraine's largest mobile service provider.

This morning's situation report from the UK's Ministry of Defence (MoD) concentrates on the fate of a newly formed division in combat this month. "In early December 2023, the newly-formed 104th Guards Airborne Division (104 GAD) of the VDV (Russia’s airborne forces) highly likely suffered exceptionally heavy losses and failed to achieve its objectives during its combat debut in Kherson Oblast. The operation took place after the division joined Russia’s Dnipro Group of Forces and its attempt to dislodge the Ukrainian bridgehead near the village of Krynky on the east bank of the Dnipro. 104 GAD was reportedly poorly supported by airpower and artillery, while many of the troops were highly likely inexperienced. Following the incident, Russian ‘milbloggers’ called on the Dnipro Group of Forces Commander, Colonel General Mikhail Teplinsky, to resign. This is a blow to Teplinsky’s reputation as one of the more capable Russian field commanders of the war: in his routine role he is also commanding general of the VDV."

Russian imperial rhetoric and maximalist goals.

Russia's President Putin, in his annual marathon ask-me-anything (a carefully staged media availability), said, the New York Times reports, that his war aims in Ukraine hadn't changed. He's open to peace negotiations, but not open to compromise: the special military operation will continue, the AP reports him as saying, until his objectives are met. He expressed confidence that Western support for Ukraine was drying up, and said (implausibly) that Russia's army had so many willing volunteers that there's no need for mobilization. He also said the Russian economy remained strong, despite some difficulties. (US estimates say the Russian economy is some 5% smaller than it would be had there been no invasion of Ukraine.)

The Institute for the Study of War (ISW) sees a return to expansive Russian claims that Ukraine is simply historically Russian territory. The compromise position Deputy Chairman of Russia's Security Council Medvedev enunciated was that the Lviv Oblast on the western border of Ukraine might be permitted to exist as a rump state. But the official line is now that Russia is engaged in liberation of its historic territory, and it's doubtful that Lviv would escape such designation. (Poland, Latvia, Lithuania, Estonia, Moldova and Finland would also probably figure in such revanchist rhetoric, to say nothing of the nations in other parts of the Near Abroad.)

One more note from President Putin's public meeting: he says he doesn't use a body double.

SVR exploits JetBrains TeamCity vulnerability.

The US Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC) have issued a Joint Cybersecurity Advisory warning that Russia's SVR is engaged in widespread exploitation of CVE-2023-42793. The Russian foreign intelligence service (whose cyber operations have been tracked as APT29, the Dukes, CozyBear, NOBELIUM, and Midnight Blizzard) has been "targeting servers hosting JetBrains TeamCity software since September 2023."

TeamCity is used by developers to manage and automate compiling, building, testing, and releasing software. Successful exploitation could give the SVR access to developers' source code, signing certificates, and the compilation and deployment processes themselves. It would represent a software supply chain threat. The SVR has engaged in this sort of attack before, most notably in 2020, when it accessed and compromised SolarWinds and its customers. So far the SVR's exploitation of TeamCity hasn't had comparably wide-reaching effects. The Joint Advisory says, "The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments." The victimology shows no clear pattern beyond exposure to the vulnerability itself: the attackers chose targets opportunistically. If an organization was exposed to CVE-2023-42793, that was enough for the SVR's targeteers.

The Joint Advisory includes the description of attack techniques, indicators of compromise, and recommended mitigations one would expect, but it also includes a long review of the SVR's history of offensive cyber operations, beginning in 2013. "The authoring agencies can infer a long-term targeting pattern aimed at collecting, and enabling the collection of, foreign intelligence, a broad concept that for Russia encompasses information on the politics, economics, and military of foreign states; science and technology; and foreign counterintelligence. The SVR also conducts cyber operations targeting technology companies that enable future cyber operations."

Researchers at Fortinet worked with some of Cozy Bear's victims and offer a detailed analysis of the attackers' initial access through the authentication bypass vulnerability and of their post-exploitation behavior, in particular the use they made of GraphicalProton malware to maintain persistence. GraphicalProton has been associated with other SVR operations.

Update: the cyberattack against Kyivstar.

Ukraine's SBU says that a Russian "pseudo-hacker group" has claimed responsibility for the cyberattack that took down the mobile telecommunications and Internet service provider Kyivstar earlier this week. The SBU doesn't identify the group, but says that it works for Russia's GRU, affording Moscow's military intelligence service a degree of plausible deniability. The Kyiv Independent reports that the self-identified Russian group, Solntsepek, said in a Telegram channel that "We attacked Kyivstar because the company provides communications to the Armed Forces of Ukraine, as well as government agencies and law enforcement agencies of Ukraine." The group claimed that it "destroyed" ten thousand computers, more than four thousand servers, and all cloud storage and backup systems associated with Kyivstar. That's clearly exaggerated, but the disruption was nonetheless widespread and extensive. Ars Technica notes that Solntsepek has been associated with the GRU's Sandworm activity.

Initial claims of responsibility by KillNet lack credibility. Dan Black, Principal Analyst, Mandiant Intelligence - Google Cloud, sent us his team's assessment of KillNet's claims. They think it's empty gasconade. "Mandiant has noted the claim of responsibility from KillNet. We regard this claim skeptically. Previous KillNet operations have not demonstrated capabilities that would allow them to conduct this level of operation. In addition, this claim of responsibility does not match that pattern and was released hours after the operation and does not release any 'proof,' raising the possibility that it is simply an opportunistic claim, rather than a legitimate one." Thus KillNet's new management seems to be stealing the inglory from the actual hackers.

The Kyiv Post has a useful timeline of the attack. It began Tuesday morning, and its effects continue to be felt. Kyivstar has begun to restore service, with voice service over landlines coming back online first, but recovery will be a protracted process.